
strips x-client-data headers from outgoing requests

Open ablanathtanalba opened this issue 5 years ago • 6 comments

Evidence shows that the x-client-data header in GET requests that Chrome sends could be used for tracking.

This change strips all x-client-data headers from outgoing requests when Privacy Badger is enabled, the user is on Chrome or some Chromium browser, and the option is toggled on.

ablanathtanalba avatar Feb 11 '20 23:02 ablanathtanalba

@ghostwords -- please take another look at this one. Question: do you think it's worth lowercasing all the headers on this? I have only ever seen outgoing headers as X-client-data, though I went with the current precedent of lowercasing when checking for them.

ablanathtanalba avatar Feb 27 '20 04:02 ablanathtanalba

I will, I just haven't gotten to it yet, sorry.

do you think it's worth lowercasing all the headers on this?

Probably. I'll consider this when reviewing.

ghostwords avatar Feb 27 '20 16:02 ghostwords

No problem, there's no rush :+1:

ablanathtanalba avatar Feb 27 '20 17:02 ablanathtanalba

Some X-Client-Data discussion here and here.

ghostwords avatar Jun 18 '20 19:06 ghostwords

If we ever resume this work, we should make sure to expose this as a setting in the Privacy category on the options page.

ghostwords avatar Nov 06 '20 16:11 ghostwords

Refreshed and rebased this branch, including adding a setting in the options page for users to toggle this on/off. I'm not sure yet what kind of supplementary information that toggle setting might need to let the user know what's going on (a helper tooltip? a link outwards to some credible article that lays out why x-client-data is fishy?)

ablanathtanalba avatar Sep 30 '21 00:09 ablanathtanalba